MindSetPlus← Back to home
Legal

Privacy Policy

Last updated · June 11, 2026
MindSetPlus (operated by Mindset Labs Private Limited) is an AI-powered emotional wellness platform. We treat the information you share with us — especially your moods, journals, conversations with Saathi, and exchanges with your care provider — as deeply personal. This policy explains exactly what we collect, why, where it lives, and the choices you have.
The short version. Your journals and chat messages with your doctor are encrypted at rest with AES-256. Your data is hosted in India. We never sell your information. Saathi is a wellness companion — not a doctor — and is never used as a substitute for professional care or emergency services.

1. Who this policy applies to

This policy applies to everyone who uses MindSetPlus — patients (both direct-to-consumer and those connected through a clinician via a license code), verified mental health professionals, organisations evaluating our B2B offering, and visitors to our marketing website.

2. Information we collect

2.1 Information you provide to create and use your account

  • Phone number — required for WhatsApp OTP-based sign-in. We do not store passwords for patients or doctors.
  • Profile details — first name, last name, optional email address, optional date of birth, and optional profile photo.
  • Preferences — preferred language (e.g., English, Hindi) and your chosen Saathi conversational tone.
  • Consent records — whether you have granted data-processing consent, and the timestamp when you granted it.
  • License code (B2B patients only) — if you join via a clinician’s license code, we link your account to that clinician and grant Pro access.

2.2 Wellness content you create inside the app

  • Mood entries — the mood you logged, an optional short note, and the date.
  • Journal entries — title, body text, optional photos, and AI-generated summaries. Body text and AI summaries are stored encrypted at rest (AES-256). You control whether a journal is shared with your connected doctor.
  • Saathi conversations — your chats with the Saathi AI companion are used to generate short, abstracted “memory” summaries (max 200 characters) that help Saathi remember context. Raw transcripts are never exposed in clinician dashboards.
  • Wellness activities — which exercises or programs you completed, and when.
  • Doctor ↔ patient chat messages — encrypted at rest. Only you and your connected clinician can read them.
  • Safety plan — warning signs, coping strategies, support people, reasons to live, and professional contacts that you and your clinician co-author.
  • Clinical assessments — e.g., PHQ-9 / GAD-7 style screeners assigned by your clinician, your responses, and computed scores.

2.3 Information clinicians provide

  • Professional profile — specialty, years of experience, registration number, bio, clinic name and address.
  • Verification documents — medical council certificate, degree certificate, and specialty certificate uploaded to secure object storage in India for admin verification.
  • Clinical notes — notes a clinician writes about a patient under their care.
  • Session records — scheduled appointments and (where applicable) session note files.

2.4 Information collected automatically

  • Authentication records — refresh tokens, WhatsApp / email OTP records (one-time, short-lived).
  • Push notification tokens — device tokens for iOS, Android, or web push, so we can deliver reminders and crisis alerts.
  • Access & audit logs — an append-only audit trail of who accessed which protected health information, when, from what IP address and user agent, and whether the request succeeded. This is a safety and compliance requirement.
  • Streaks and last-active dates — used to power streak counters and basic engagement signals.
  • Crisis events — when the platform’s crisis workflow triggers, what triggered it, your response, and whether your doctor was notified.

2.5 Information collected on the marketing website

  • Waitlist — email address only.
  • Professional interest form — name, specialization, email, optional message.
  • Pricing inquiry form — name, specialization, email, phone, and the number of licenses you’re evaluating.
  • Behavioural analytics — on the marketing website only, we use Microsoft Clarity to understand how visitors navigate the site (clicks, scrolls, session replays of marketing pages, device and browser information, approximate location). This is used to improve the marketing site itself. Microsoft Clarity is not installed in the patient mobile app, the clinician portal, or the admin panel — it never sees protected health information, journals, mood entries, Saathi conversations, or doctor-patient messages.

3. Sensitive personal data & health information

Your moods, journals, Saathi conversations, doctor messages, assessments, safety plan, clinical notes, and crisis-event records are sensitive personal data and protected health information (PHI). We give them additional protection:

  • Encrypted at rest using AES-256 (journal bodies, AI summaries, doctor-patient chat).
  • Never written to application logs in raw form.
  • Never used to train third-party AI models.
  • Every read of PHI is recorded in an immutable audit log.
  • Strict per-user isolation — every query for patient-owned data is scoped to the owner’s identifier.

4. How we use your information

  • To run the core MindSetPlus product — sign you in, deliver Saathi conversations, log moods and journals, schedule sessions, route messages between you and your clinician.
  • To compute the 3-day rolling mood average and trigger our crisis-safety workflow when needed.
  • To generate short, abstracted memory summaries that help Saathi maintain context across conversations.
  • To verify clinician credentials before granting them access to patient features.
  • To send WhatsApp OTPs, push notifications about appointments and check-ins, and (only if you opt in) marketing updates.
  • To maintain the security, integrity, and reliability of the platform — including abuse prevention, rate limiting, and fraud detection.
  • To meet legal, regulatory, and audit obligations.

5. Legal bases for processing (DPDP Act 2023)

  • Your consent — captured the first time you sign in. We store the timestamp.
  • Legitimate uses — to deliver the service you signed up for, respond to safety/crisis events, and comply with law.

6. Who we share information with

We do not sell your personal information. We share it only in these specific situations:

  • With your connected clinician — your mood trend, journals you explicitly shared, assessment results, safety plan, and chat messages. B2B (license-code) patients are auto-connected to their issuing clinician on signup.
  • With institutional B2B customers — aggregated, de-identified usage data only. We never expose individual patient data to an institution’s administrators.
  • With service providers we rely on — see Section 8 for the list.
  • For safety — if there is an imminent risk of serious harm to you or others, we may notify your connected clinician, your designated safety contacts, or emergency services as required by law.
  • For legal compliance — to comply with a valid legal order, regulatory request, or law-enforcement requirement under Indian law.

7. Data residency & international transfers

MindSetPlus is an India-first product. Our primary databases and object storage reside in India-region cloud infrastructure. Some service providers (for example, the AI model providers we use for Saathi) may process data outside India under contractual data-protection commitments. We minimise the personal information sent to such providers and never send raw, identifiable health content without appropriate contractual safeguards in place.

8. Service providers

We use the following categories of processors to deliver MindSetPlus:

  • Cloud hosting & databases — India-region cloud infrastructure for our PostgreSQL database, Redis cache, and object storage.
  • WhatsApp Business API — to deliver one-time login codes.
  • AI model provider — to power Saathi and journal AI summaries. We send only the minimum context required; raw identifiers are stripped where possible and a contractual data-processing agreement is in place before any identifiable patient context is sent.
  • Push notification gateways — Apple Push Notification service, Firebase Cloud Messaging, and web push, to deliver reminders and crisis alerts.
  • Object storage — for profile photos, journal photos, doctor verification documents, and session notes.
  • Microsoft Clarity — behavioural analytics (heatmaps, session replays, click and scroll data) limited to the marketing website only. Clarity is not embedded in the patient mobile app, clinician portal, or admin panel, and therefore has no access to protected health information.

9. Security

We protect your information with layered controls:

  • Authentication. Patients and doctors sign in with WhatsApp-delivered OTPs. There are no passwords to phish. OTPs expire in 5 minutes.
  • Encryption in transit. All client ↔ server traffic uses TLS.
  • Encryption at rest. Journal content, AI summaries, and doctor-patient chat are encrypted at the field level with AES-256. Database storage volumes are encrypted at rest.
  • Access control. Doctors only see patients they are connected to. Institutional admins see only aggregate data. Super-admin access is restricted, logged, and used only for support / verification tasks.
  • Audit logging. Every read of protected health information is recorded in an append-only audit log including timestamp, actor, IP, user agent, and outcome.
  • Doctor verification. Clinicians are admin-verified against their registration documents before they can take any write action on patient data.
  • Crisis safety. The crisis workflow cannot be silenced or dismissed without an explicit user response.

10. How long we keep your information

  • While your account is active — for as long as you continue to use MindSetPlus.
  • After you delete your account — we delete your personal profile and wellness content within 30 days. Encrypted backups containing your data are purged in line with our backup-rotation schedule (no longer than 90 days).
  • Audit logs — retained for the minimum period required by applicable health and data-protection law.
  • Aggregated, de-identified usage data — may be retained indefinitely.
  • License records — clinicians’ license-pack and invoicing records are retained for the period required by Indian tax and corporate law.

11. Your rights

Under the Digital Personal Data Protection Act, 2023 (DPDP Act) and other applicable law, you have the right to:

  • Access the personal data we hold about you.
  • Correct or update inaccurate or incomplete information.
  • Erase your account and associated personal data.
  • Withdraw consent for data processing at any time (this will end your ability to use the service).
  • Nominate another person to exercise these rights in the event of your death or incapacity.
  • Lodge a grievance with our Grievance Officer (Section 14) and, if unresolved, escalate to the Data Protection Board of India.

To exercise any of these rights, email support@mindsetplus.ai from the address registered to your account, or use the in-app data-export and account-deletion controls when available.

12. Children

MindSetPlus is not intended for children under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us at support@mindsetplus.ai and we will delete the account and data.

13. Saathi, AI, and what the AI is — and isn’t

Saathi is an AI emotional-wellness companion. Saathi does not diagnose, prescribe, or replace therapy. Conversations with Saathi are processed by a third-party AI model provider under a data-processing agreement. Short, abstracted “memory” summaries (max 200 characters, with vector embeddings) are stored so Saathi can keep context across sessions; raw conversation text is never displayed to clinicians.

If you are in crisis or considering self-harm, please reach a human immediately: Tele-MANAS 14416, Vandrevala Foundation 9999 666 555, iCall 9152 987 821, or AASRA 022-2754-6669. These helplines operate 24×7.

14. Grievance Officer & contact

Under the DPDP Act and the Information Technology Rules, the following is our designated point of contact for privacy concerns:

  • Email: support@mindsetplus.ai
  • Postal address: Mindset Labs Private Limited, India (full address available on request).

We acknowledge grievances within 72 hours and aim to resolve them within 30 days.

15. Changes to this policy

We will update this policy as the product and the law evolve. When we make material changes, we will notify you in-app or by email before the changes take effect. The “Last updated” date at the top of this page always reflects the most recent version.